Monday, August 17, 2015

Major Identity Theft Protection Firm Compromised…


In a late-day announcement, it was revealed that a major anti-identity theft company has been hit by a massive data breach that resulted in the loss of the personal information of tens of millions of customers. Citizens that have already been hit by one or more of the many data breaches that have occurred over the past couple of years are in shock, wondering what they will do now…

Yeah, this didn’t actually happen, not today at least, but one day and probably one day soon, I feel positive it will and when it does, it just might be the wake-up call to users that nothing is really truly safe. Of course if it doesn’t happen, then that means those anti-identity theft companies are doing it right!

But seriously, is this what it’s actually going to take to get customers and employees to start actively demanding that companies take more responsibility for the information they either willingly give them, or are forced to give them for the ‘privilege’ of doing business with their firms or to get a job? I personally believe that in the realm of information security, people will have to be backed into a corner, with nowhere left to turn, before they get fed up enough to demand that these companies and government organizations take information security as seriously as it needs to be taken in this day and age.

Credit monitoring is a band-aid for the victims of a data breach and ‘cyber’ insurance is a crutch for the companies and organizations that are willing to pay the premiums rather than allocate sufficient resources to properly secure users’ data. Don’t believe me? Let a user’s cable, internet or cell phone access go down for even a few minutes and you will see hell raised with a fury! Just ask any service provider’s customer service reps, they’ll tell you. So until companies either willingly start doing what is necessary to properly protect customers, or until users take it upon themselves to demand such protections, the title of this article is destined to come true.


Discuss…

Saturday, May 30, 2015

Attri-propaganda



No need to read a bunch into this, I’m simply writing this to confirm that attribution is the new propaganda. Shouldn't really even be surprised at this statement, but it needs to be said.

We all laugh and make jokes about attribution and how much bullshit revolves around this particular subject, but the plain and simple truth of the matter is that when the media talks about the attribution associated with most data breaches and stolen PII, the general public only sees one thing, whatever BS is spouted out. It doesn't matter if it’s CNN, MSNBC or Fox, the fact of the matter is that now attribution is being used as propaganda to sway the general population to whatever means is politically expedient at the moment.

It could be China, North Korea, the Russians, Anonymous, or any number of other “actors” that happen to be convenient at the time, and while a lot of this may be true, the means and uses of these disclosures are still suspect in my opinion. After all, we still don’t even know who pulled off the Sony hack, right? I’m not trying to get too deep into the weeds with this, I’m just saying that we need to look outside our echo chamber and into the real world of normal people and what they think and believe about what they see when the news reports these things. People believe what they want to believe and they are being pointed to conclusions that may or may not be true.

So, to my initial point, attribution is being used as propaganda. No surprise there right? I know the people that are reading this know the deal, so I’ll just stop for now…


Saturday, May 16, 2015

STD’s


Security, Tactics and Defenses

Note: This post is NOT about sex or porn, not really, but kinda, but no…

So, I was listening to Paul’s Security Weekly podcast (@securityweekly) and they were talking about vulns and rankings and how they affect companies, and how CVE rankings aren't always relative to a company’s security policies because there’s no one-size-fits-all method for a particular organization. So I had this idea about how security vulns relate to different organizations and how different diseases relate to the human body. I almost didn’t write this because Paul said he hated the medical references, but then he brought up a plot line from CSI: Cyber and I felt better about it…

So, much like was discussed on their show, not every company is vulnerable to every exploit out there, no matter how severe. Much like, if you’re a non-smoker you’re mostly not going to get lung cancer, although this is not always the case, but the odds are easily relatable. However, on the flip side, if there is a new virus out there, both companies and people can be affected by it (no, I didn't mean that the same virus can affect computers and people, so just stop that). Here are a few examples, you can run with it as you wish.

Case 1: Let’s say we have two people. Person A’s family has a history of heart disease and person B’s family doesn't have any history of heart disease. Now, since person A knows this information, they pay very close attention to how they eat, go to regular doctor visits and exercise so they reduce the risks that they know could potentially cause problems. This is a great security practice for an organization because they have identified that they could have issues if they just do nothing. But person B, not having a history of this issue, doesn't worry about all these preventive measures and just does what they want to do, eating everything that is bad for most people, blowing off doctor visits and being a couch potato.

In this example we have two people with varying risks practicing very different strategies. One person has identified the risk and is actively working on mitigating that risk, while the other person doesn't have the same risk, but they’re not taking into account all of the other surrounding circumstances that could potentially have devastating impacts. In truth, both are still very vulnerable to heart disease. Even though person A has been actively trying to prevent having a heart attack, they can still have one, but even if they do, their body is still more prepared for the aftermath because they were prepared. Now if the same thing happens to person B, they will more than likely be surprised and, more to the point, their body will not be strong enough to recover from such a traumatic event. So, even though you might not be vulnerable to a particular disease, you still can’t completely ignore the possibilities.

Case number one was very specific, so let’s take a look at case number two.

Case 2: Viruses.
They can potentially affect everyone, no matter what you do, especially if you do nothing! But let’s just say that different people do different things to help prevent getting sick from viruses and yet we all still get sick at some point in our life, because that is a fact of being a human being. It might be something we did or didn't do, something we didn't think about or just by dumb luck. However, how often we get sick and how well we recover is directly related to the things we do to prevent getting sick to begin with, wouldn't you say?

Let’s say that person A always makes sure they take their vitamins and they are trying to be healthy, but one day they catch a bad bug. Now, since they thought they were safe because of all of their preventative measures, when they actually do get really sick, they don’t have any remediation medicines in their house to take to help reduce the impact of the infection and in the end, have to go to the doctor to get medicine to help them recover.

Now let’s move to person B, who doesn't really do a lot to prevent catching a bug, but when they do get one, they have a whole plethora of medicines in their household to help them recover from the virus without having to go to the doctor. The answer is simple in this case: both methods combined are the true path to take. You should always try not to get sick, but not to the extreme, just like you shouldn't skip all preventative measures and simply rely on being prepared if you do get sick. In this case, you should try to make sure you’re being healthy but always know and be prepared that you will probably get sick, and have a plan for when/if you do.


So, now let’s all go out there and be smart and healthy, but not naïve! 

Wednesday, March 25, 2015

Baseline – Not the Dubstep You’re Looking For…



Disclaimer: I have no real world ICS/SCADA system or security experience, I’m just a guy that takes in information and thinks about better ways to do things.

We've all heard about taking a “baseline” of your network environment so you have some way to gauge and detect any anomalous behavior on your systems to, hopefully, help catch any type of malicious activity before it gets out of control, or at the very least, have a good idea of where to start when performing IR if there is a network breach. And, like most of us that already work in well-established networks, we know how difficult and time consuming a task this would be. But in a well-designed ICS production environment, this might be a bit less traumatic an experience than one might think.

First of all, if a production ICS network is properly segregated (as it should be) the traffic flowing over the network is really not that complex because the protocols used aren't that complex. Modbus, DNP3 and most of the other ICS protocols out there operate on very small frame sizes and command lists compared to other network protocols, so while there may be a lot of traffic flowing back and forth between a controller and a device, the commands being sent are known and can generally be predicted based on their configuration and what action the system is designed to perform. In other words, you’re not going to see your Smart-Meter or valve controller performing Google searches or streaming YouTube videos unless something has gone terribly wrong! (Yes, that was a terrible joke).

This being the case, an ICS production environment is ripe for baselining even if it’s already up and running (which most are). So this is the first step in beginning to secure an ICS production network and there really isn't any reason why this should not be happening right now in all major and even minor critical infrastructure environments. We all know this isn't the case, but it should be the case nonetheless. If a critical infrastructure company can get over this first, daunting hurdle, keeping this baseline up to date can actually become relatively easy in the future. Let me explain…

Once the major baseline is established and the network engineers know what normal traffic looks like and what might be abnormal, it becomes much easier to tune inline controls to recognize and flag real warning signs that something may be amiss in their systems. And at this point, maintaining this baseline can become very easy if the proper deployment controls are put into place when the engineers either have to replace a controller or deploy a new system.

I am sure (or hopeful, however you want to look at it) that when an ICS controller is replaced due to failure or through a system upgrade, or any time a new piece of equipment is going to be introduced into the system, extensive testing occurs to make sure the new device is functioning properly before being deployed into the production environment. This is only logical and makes perfect sense, but this is also the time to not only make sure the operation and control of the system is well established, but also the perfect time to baseline the new system’s network traffic as it’s being run through all normal conditional testing. By imposing this new deployment protocol you can capture all of the communications of the system in its purest form and have a perfect baseline of what to expect its typical traffic to look like; from normal operational commands, to fault conditions, to extreme fail-safe actuation, or any anomalous traffic that might indicate that someone is trying to breach, or has breached, the network.

This can be helpful in any kind of network, but ICS/SCADA networks can greatly leverage this kind of process with more precision than any other network environment I can imagine, to great benefit not only to the company, but to the environment and to the consumers of the products produced by critical infrastructure companies.
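To make the two-phase process concrete (learn the baseline while the new controller is run through its commissioning tests, then check production traffic against it), here is an added example that is not part of the original post. It assumes a segregated Modbus/TCP segment and parses only the MBAP header plus the function code and starting address; the IP addresses, unit ids, register addresses and frames are all constructed for the example, and the `Baseline` class, `parse_modbus_tcp` and `build_request` names are the example's own, not any vendor's or project's API.

```python
"""Traffic baseline for a segregated Modbus/TCP segment (added example).

learn() consumes requests captured while a new controller is run through its
commissioning tests; check() compares later production requests against what
was learned. Every frame below is constructed for the example.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MODBUS_PROTOCOL_ID = 0
# Public function codes whose PDU begins with a 16-bit starting address.
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    address: Optional[int]  # None for functions that carry no starting address


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header, the function code and the starting address."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match payload")
    function = payload[7]
    address = None
    if function in ADDRESSED_FUNCTIONS and len(payload) >= 10:
        address = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(src, dst, unit, function, address)


FlowKey = Tuple[str, str, int]  # (src, dst, unit_id)


class Baseline:
    """Talker/unit pairs, their function codes and the addresses each touched."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Dict[int, Set[int]]] = defaultdict(
            lambda: defaultdict(set))

    def learn(self, req: ModbusRequest) -> None:
        funcs = self.flows[(req.src, req.dst, req.unit_id)]
        if req.address is None:
            funcs[req.function]  # create the key so the function is "seen"
        else:
            funcs[req.function].add(req.address)

    def check(self, req: ModbusRequest) -> Optional[str]:
        """Return an alert string for a request that deviates, else None."""
        key = (req.src, req.dst, req.unit_id)
        if key not in self.flows:
            return f"unseen talker/unit {key}"
        funcs = self.flows[key]
        if req.function not in funcs:
            return f"{key}: function code {req.function} never seen during baseline"
        if req.address is not None and req.address not in funcs[req.function]:
            return f"{key}: fc {req.function} to address {req.address} outside baseline"
        return None


def build_request(unit: int, function: int, address: int, value: int = 0,
                  tid: int = 1) -> bytes:
    """Build a minimal Modbus/TCP request (constructed test data only)."""
    pdu = struct.pack(">BHH", function, address, value)
    mbap = struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit)
    return mbap + pdu


# Constructed hosts for the example segment.
HMI, PLC, ROGUE = "10.0.1.10", "10.0.1.20", "10.0.1.99"


def commissioning_frames() -> List[Tuple[str, str, bytes]]:
    frames = [(HMI, PLC, build_request(1, 3, addr, 1)) for addr in range(10)]
    frames.append((HMI, PLC, build_request(1, 16, 100, 2)))  # setpoint write
    return frames


def production_frames() -> List[Tuple[str, str, bytes]]:
    return [
        (HMI, PLC, build_request(1, 3, 4, 1)),       # normal poll, no alert
        (HMI, PLC, build_request(1, 8, 1, 0)),       # diagnostics fc, never baselined
        (ROGUE, PLC, build_request(1, 6, 100, 0)),   # talker not in baseline
        (HMI, PLC, build_request(1, 16, 500, 2)),    # write outside baselined addresses
    ]


def run_baseline_check() -> List[str]:
    base = Baseline()
    for src, dst, raw in commissioning_frames():
        base.learn(parse_modbus_tcp(src, dst, raw))
    alerts = []
    for src, dst, raw in production_frames():
        alert = base.check(parse_modbus_tcp(src, dst, raw))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_baseline_check():
        print("ALERT:", line)
```

The baseline keys on exact starting addresses because an HMI polling a fixed register map produces the same handful of addresses every cycle; a site whose requests walk a contiguous block would instead record a min/max range per function code. The three alerts it raises (an unbaselined diagnostic function, a new talker, and a write to an address never touched during commissioning) are exactly the kinds of deviation the post argues are easy to spot once a clean baseline exists.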

</my_two_cents>

Discuss…


Saturday, March 14, 2015

Of Cats and Security



So I was listening to Paul’s Security Weekly (@securityweekly) podcast last Thursday night when one of their guests, one Michael Santarcangelo (@catalyst), used the phrase, “Risk Catnip”. I almost fell on the floor laughing, as he weaved that phrase into his thought without any hesitation. It surprised everyone on the show and we all got a great laugh out of it.

The next day, since I loved that phrase so much, I decided to re-Tweet his phrase along with some other phrases ending with “catnip”. One of those phrases was “Threat Catnip”. A follower of mine by the name of @PeterGanzevles (Hacktic) replied with about the best response I believe I ever heard, he coined the term “Threatnip”, which got me thinking… (I know, I know, keep your jokes to yourself).




“Threatnip”, as it turns out, is actually a real thing and it’s used all the time as a lure to get executives to buy into Threat Intelligence products like reports, dashboards, blinky boxes and consultations. And much like catnip, once the prey has pounced on the lure and plays around a bit, the thrill is gone along with a considerable amount of money that could have been put to better use. Now I’m not saying that there is no use for Threat Intelligence, in fact, quite the opposite is true, but there has to be more than just the “Threat” part, because, as “Intelligence” implies, it must serve as a function of a continuous cycle of security posture improvement.

The moral of this short story is this: don’t be a “Threatnip” peddler, be a total solutions provider!


Here are some people that are much wiser than I on this subject:

Edward McCabe (@edwardmccabe)

John Berger

Rafal Los (@Wh1t3Rabbit)



Saturday, January 17, 2015

3NCRYP7ION is NOT a Crime!


Editor's Note: In the first posting of the article, in my rush to get a blog post up I did not do my research thoroughly and I falsely attributed some statements to the French PM. I have since edited this post, removing those incorrect statements and providing a link as a reference.

This project came to light because of the recent terrorist attacks in France; a sad day indeed for the people of France, the families of those slain and for freedom of expression. The response by the people of France and the world was an amazing thing to witness, peoples of every nation banding together in solidarity to stand up against those that would attempt to quell freedom of expression, but then, something equally horrifying happened. Just days after the events and the rallies and marches, some European leaders, namely British PM David Cameron, came out and floated some ideas for new laws that would weaken or eventually cripple encryption! What The Verge called a "European Patriot Act". What irony there was in that statement and in the follow-up by other countries struggling to fight terrorism and support freedom of expression while stanching privacy rights!

This did not sit well with me and many others in our community so I decided to do something about it, raise awareness and some money to help defend and educate people about not only encryption, but about privacy rights in general. So I created a shirt. Yeah, I know how it all sounds, but what better way to show your support and hopefully, get others to think about exactly how serious this issue is to everyone, even if they don't know why encryption is so important. If even one person asks you about your shirt and what it means, you'll have the opportunity to educate someone that might otherwise never have even bothered to think about this issue.

To order your shirt(s), go here -> 3ncryp7ion is NOT a Crime!

100% of the proceeds will go to some great charities, namely, Hackers for Charities and the EFF.
Hackers for Charities is doing great work in Africa to not only educate people in the use of computers, but also providing training for people who want to gain employment in the field. They also help provide internet access to remote villages and people that otherwise might not ever have that opportunity.
The EFF (Electronic Frontier Foundation) does a lot of work on behalf of computer users and the general public worldwide by raising awareness of the various laws that are written involving computers and their communications and monitoring.

Please check out the charities here and when ordering, please specify which charity you would like to receive your money. (all un-allocated funds will be split between the two charities equally)

Hackers for Charities

EFF

Thanks to everyone for your support and encouragement in this project. It means a lot to me and I can see that it means a lot to many of you as well! I would also encourage other, more well-known bloggers out there to take up this cause and help raise awareness of the madness that is being proposed to help keep us "SAFE".

NOTE: For anyone ordering shirts that require international shipping, the shirt site does NOT support this, but I do and I will make that happen. Just click on the Contact link on the site and send me an email with your order request and I will get back to you with the details.

Wednesday, January 14, 2015

Wi Fight?

So, we have TV shows and movies coming out that show “hackers” doing magical things with computers and we have the added hype from the MSM that shakes in fear when a Twitter account gets hacked (really just pwned because of bad passwords, etc.) or when a gaming network has been taken offline using tools that, well, anyone can use even if they only have basic computer skills and the money to rent a botnet.

And the result of such ignorance and misinformation? Changes to current laws that can practically make anyone in information security a criminal under the right circumstances. I’m not going to delve into that aspect, as Robert Graham has already addressed these issues in a great blog post today. Please read this, if you have not already: http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLcCZyvF9ps

As I perused the proposed changes to the current laws, I noticed something that really stuck out to me, the recurrence of this and similar phrases; “…or facilitate the commission of…” said crime. This line got me thinking, what do I possess that could be classified under that statement? Well, I have a TP-LINK WiFi adapter that can be initialized in promiscuous mode that can sniff WiFi traffic and using some simple programs actually capture this traffic. I also have a WiFi Pineapple that can accomplish the same tasks and a great deal more!

Do these devices make me a criminal? Does watching YouTube videos on how to best leverage these devices (on a perfectly and still legal pentest) make me a criminal? Sure, there is no “intent” here, but the equipment and knowledge can “facilitate”. And this is just hardware, not the software distros that are out there that make these tools even more effective, like Kali Linux, Pentoo, Pwnie Express, just to list a few.

Another, passive, but “facilitating” concept that is frequently used, even by hobbyists in the field, is wardriving, using programs like WiGLE that log and map SSIDs of a range of devices, even providing GPS locations of said devices. Will possession, let alone use, of such applications now be criminal offenses?

The answer, as it stands today, is most likely none of these devices and techniques will be “technically” illegal if the laws are changed, just because of the sheer volume of what’s already out there and the amount of people using them, but, as Jack Daniel said earlier today, “it depends on the aspirations of the prosecutor” on where these lines are drawn.

But, as we all well know, once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary, will eventually become targets, for any number of reasons that some ambitious prosecutor can conjure.

NOTE: Consider this… A great and award winning journalist, and a person that a great many people in information security admire and trust as an authoritative source when it comes to data breaches, namely Brian Krebs, could easily be a prime target under these new laws. Just let that sink in for a moment.

ACTION: Take action, write your local federal legislators, try to engage them in a dialogue and inform them of what our community is really about, educate anyone and everyone you can, encourage discourse on the matter before it’s too late.

SUPPORT:
All the journalists and bloggers out there that have the courage to report and speak out about the truth of things.
Support groups that, on their own time, are fighting the good fight every day, like:

#MalwareMustDie
#WeAreTheCavalry
#WeAreTheArtillery


And other groups and individuals, for they are the militia of the internet as we know it!

Wednesday, January 7, 2015

(I)nternet (C)onnected (S)tuff


So yeah, there was a Target thing, a Home Depot thing, a J.P. Morgan thing and even a Sony thing. Was it bad? Yeah, sorta, if you consider that some of our largest corporations were owned in a solid manner and, in some instances, it took months to even discover the breaches. But ironically, the most discussed incursion is the Sony hack, which in retrospect, is really nothing since it’s just an entertainment company (this statement in no way minimizes the effect this incident had on the innocent employees and their personal information that was leaked). And yet with all the press this Sony debacle is getting these days, especially when the FBI is firmly sticking to “it was North Korea that pulled it off”, people seem to have lost sight of a major area of concern for our nation’s security and that is our ICS and SCADA infrastructure.

We always hear about the IoT (Internet of Things) and how it will be a hacker’s paradise, being able to make toasters and refrigerators do all sorts of dastardly deeds, but there is another IoT that concerns me more than all of the other attack vectors combined, and that is our critical infrastructure, which, according to many experts, is ripe for the picking. And if there are real nation-state actors out there that want to hurt us (and I believe there are), then they won’t be popping Target, Sony or Cuisinart, they’ll be targeting the systems that we rely on every day.

Just writing what I have so far I feel like I’ve already rehashed a lot of what has been reported for months on end, but I also feel that the truth needs to be repeated so everyone understands just how important these issues really are to our country’s very existence. Most of you work in private sector positions, fighting the good fight to keep our PII safe, and this is needed very much these days, but there is also a great need for the same kind of tenacity in the ICS/SCADA world. And, if you think it’s tough to evoke change in your particular organization, just think about how hard that same task is in the even larger world of the major utilities like power, nuclear, transportation, oil and gas, because when things go wrong in these areas, people can die and no cyber-insurance policy will ever be able to cover that adequately.

To be honest, I have no experience at all in any kind of ICS or SCADA environment (and very little real experience in the general infosec field), but I can say that if an event on the level of the Sony incident would have happened to one of our critical infrastructure assets, then the United States would be in a very vulnerable state at this moment.

Even though the Sony story is important in a great many aspects, there are bigger fish to fry out there and we’re deathly close to being in that frying pan. So if we really want to be concerned about the “nation-state” actors, we should be more concerned with our critical infrastructure and not so much with the breach of a Japanese-based entertainment company.


REVISIONS:

1. As a general note, all governmental agencies need to cooperate with our critical infrastructure firms BEFORE the $hit hits the fan, not after the fact.

2. Disclaimer: To the author's knowledge, at no time were any squirrels harmed during the writing and revising of this post. However, we do not know if they reciprocated in kind.


Note: A very special thank you to @chrissistrunk for his insight on this piece. Wanna know more about ICS, then he’s your man!